commit be20eb4a509b539ff2bd6a706777e605bcf78ee9
parent c09ae60167ca2a2f250e9a31db135b0bf123ed66
Author: Solderpunk <solderpunk@sdf.org>
Date: Sun, 7 Jun 2020 20:42:19 +0200
Add docstrings for client cert methods.
Diffstat:
M | av98.py | | | 33 | +++++++++++++++++++++++++++++++++ |
1 file changed, 33 insertions(+), 0 deletions(-)
diff --git a/av98.py b/av98.py
@@ -679,7 +679,19 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
return addresses
def _validate_cert(self, address, host, cert):
+ """
+ Validate a TLS certificate in TOFU mode.
+
+ If the cryptography module is installed:
+ - Check the certificate Common Name or SAN matches `host`
+ - Check the certificate's not valid before date is in the past
+ - Check the certificate's not valid after date is in the future
+ Whether the cryptography module is installed or not, check the
+ certificate's fingerprint against the TOFU database to see if we've
+ previously encountered a different certificate for this IP address and
+ hostname.
+ """
now = datetime.datetime.utcnow()
if _HAS_CRYPTOGRAPHY:
# Using the cryptography module we can get detailed access
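Review bot: The new docstring for `_validate_cert` describes the checks but not the method's contract: it says nothing about the `address`, `host` and `cert` parameters, nor what the caller sees when a check fails (a return value or an exception — the body runs past the hunk, so I can't tell from here). I would add an `Args:` section naming the three parameters and a `Raises:`/`Returns:` line stating the failure behavior once confirmed. The caveat in the second paragraph would also read more sharply if it stated the consequence explicitly, e.g. `Without the cryptography module only the TOFU fingerprint check is performed; hostname and validity-period checks are skipped.`, since that is the security-relevant difference a caller needs to know.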
@@ -900,6 +912,10 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
print(debug_text)
def _load_client_cert(self):
+ """
+ Interactively load a TLS client certificate from the filesystem in PEM
+ format.
+ """
print("Loading client certificate file, in PEM format (blank line to cancel)")
certfile = input("Certfile path: ").strip()
if not certfile:
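Review bot: The docstring for `_load_client_cert` mentions only the certificate, but the method also prompts for a private key file — the context line `self._activate_client_cert(certfile, keyfile)` at the end of this method (visible in the next hunk) passes a `keyfile` as well. I would extend it to `Interactively load a TLS client certificate and its private key from the filesystem, both in PEM format; a blank certfile path cancels.`, which also documents the cancel path visible in `if not certfile:`. The method body continues past the hunk.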
@@ -919,6 +935,10 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
self._activate_client_cert(certfile, keyfile)
def _generate_transient_cert_cert(self):
+ """
+ Use `openssl` command to generate a new transient client certificate
+ with 24 hours of validity.
+ """
certdir = os.path.join(self.config_dir, "transient_certs")
name = str(uuid.uuid4())
self._generate_client_cert(certdir, name, transient=True)
@@ -926,6 +946,10 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
self.transient_certs_created.append(name)
def _generate_persistent_client_cert(self):
+ """
+ Interactively use `openssl` command to generate a new persistent client
+ certificate with one year of validity.
+ """
print("What do you want to name this new certificate?")
print("Answering `mycert` will create `~/.av98/certs/mycert.crt` and `~/.av98/certs/mycert.key`")
name = input()
@@ -936,6 +960,11 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
self._generate_client_cert(certdir, name)
def _generate_client_cert(self, certdir, basename, transient=False):
+ """
+ Use `openssl` binary to generate a client certificate (which may be
+ transient or persistent) and save the certificate and private key to the
+ specified directory with the specified basename.
+ """
if not os.path.exists(certdir):
os.makedirs(certdir)
certfile = os.path.join(certdir, basename+".crt")
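Review bot: The docstring for `_generate_client_cert` leaves the `transient` parameter undocumented, even though it is the one thing that distinguishes the two callers added in the earlier hunks (`_generate_transient_cert_cert` passes `transient=True`, `_generate_persistent_client_cert` does not). I would add an `Args:` section for `certdir`, `basename` and `transient`, with the `transient` entry stating what it changes; the earlier docstrings suggest it selects the validity period (24 hours vs. one year), but the body runs past the hunk so that should be confirmed against the `openssl` invocation before writing it as fact. Since this method writes a private key under `certdir`, the docstring is also the natural place to note what file permissions the key is created with, once that is confirmed from the rest of the body.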
@@ -947,6 +976,10 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
self._activate_client_cert(certfile, keyfile)
def _choose_client_cert(self):
+ """
+ Interactively select a previously generated client certificate and
+ activate it.
+ """
certdir = os.path.join(self.config_dir, "client_certs")
certs = glob.glob(os.path.join(certdir, "*.crt"))
certdir = {}
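Review bot: The docstring for `_choose_client_cert` says it selects "a previously generated client certificate", but the visible body only globs `client_certs/*.crt` under `config_dir`, whereas `_generate_transient_cert_cert` in the earlier hunk writes to `transient_certs`; so transient certificates are apparently never offered here. I would make that explicit: `Interactively select a persistent client certificate from the client_certs directory and activate it; transient certificates are not listed.` The method body continues past the hunk.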